[00:00.480 --> 00:04.220]  which is on Bitcoin Monero Atomic Swaps.
[00:04.220 --> 00:07.560]  I know this is a very hot level of research going on recently.
[00:07.560 --> 00:09.080]  There's a ton of interest.
[00:09.260 --> 00:12.740]  So, ZKAO, OK, you got the screen share going here.
[00:12.740 --> 00:14.420]  Hi, can you hear me?
[00:14.420 --> 00:15.960]  We can hear you, yes.
[00:15.960 --> 00:19.940]  I'm going to, since everything seems to be working on our end,
[00:19.940 --> 00:23.240]  I'm just going to hop off and just let you take it from here.
[00:23.240 --> 00:24.160]  How about that?
[00:24.960 --> 00:28.680]  Oh, yeah. So, basically, I would like to do it more interactively.
[00:28.680 --> 00:32.580]  So, feel very welcome to ask questions or ask questions
[00:32.580 --> 00:34.720]  that people drop on the chat.
[00:35.440 --> 00:43.600]  So, basically, in 2017, we were in CCC and we were discussing
[00:43.600 --> 00:46.420]  and we found it would be very interesting to create a project
[00:46.420 --> 00:52.640]  to swap Bitcoin for Monero in a trustless manner, atomically.
[00:52.640 --> 01:02.140]  And it was just because it sounded very, very interesting
[01:02.140 --> 01:07.800]  and my colleague Hashed couldn't get his head out of that
[01:07.800 --> 01:14.920]  and we ended up working on this project much more than we initially expected.
[01:14.920 --> 01:27.340]  So, one of the things that cryptocurrencies bring is this permissionless way
[01:27.340 --> 01:31.040]  of exchanging money online, for example, on the internet.
[01:31.820 --> 01:39.280]  Before, all the electronic money was intermediated.
[01:40.780 --> 01:42.900]  Can you actually see my screen?
[01:44.140 --> 01:47.160]  Yes, I can see your screen, yes.
[01:51.480 --> 01:58.580]  And there is an issue with this because we have cash in society
[01:58.580 --> 02:05.120]  and cash is a bearer, peer-to-peer, permissionless and privacy-preserving form of money.
[02:05.520 --> 02:10.820]  And who has it can spend it, has the right to spend it
[02:10.820 --> 02:13.360]  by having physical possession, peer-to-peer.
[02:13.360 --> 02:17.520]  You can just meet someone and give it to this person directly.
[02:17.680 --> 02:20.620]  If it's peer-to-peer, it's also permissionless.
[02:20.620 --> 02:24.220]  Nobody is on the way to intercept this transaction.
[02:24.300 --> 02:29.040]  And privacy-preserving, you can be locked in a room,
[02:29.040 --> 02:33.480]  give cash to someone and nobody else needs to know about it.
[02:34.280 --> 02:35.780]  And cash is legal.
[02:35.780 --> 02:44.980]  So, we should not downgrade our online money
[02:44.980 --> 02:52.360]  by accepting a totally transparent financial system like Bitcoin.
[02:52.360 --> 02:58.920]  We have to have ways to be able to exercise privacy by, for example,
[02:58.920 --> 03:03.560]  swapping Bitcoin into Monero and going into some private wall.
[03:03.560 --> 03:07.180]  But you should do that in a permissionless manner.
[03:07.180 --> 03:09.960]  Like, you should not ask permission to go private.
[03:10.440 --> 03:17.600]  So, it looks like from this definition of cash,
[03:17.600 --> 03:20.560]  Monero is cash and Bitcoin is almost.
[03:20.560 --> 03:23.080]  Bitcoin has this property of permissionless.
[03:23.080 --> 03:27.660]  So, you could spend your money in the wrong way
[03:27.660 --> 03:30.300]  and nobody could prevent you from doing that.
[03:30.300 --> 03:32.940]  However, because it's not privacy-preserving,
[03:33.600 --> 03:36.400]  people can watch what you're doing with your money
[03:36.400 --> 03:39.420]  and they might go after you because of that.
[03:39.420 --> 03:43.020]  So, this is very problematic in an open society.
[03:46.820 --> 03:52.580]  So, the way we see atomic swaps is more like a cash-to-cash exchange.
[03:52.580 --> 03:57.760]  So, you have euros and you meet someone who has US dollar,
[03:57.760 --> 04:01.700]  you agree on an exchange rate and you exchange it in private.
[04:01.700 --> 04:04.600]  Nobody else needs to get involved in this exchange.
[04:04.840 --> 04:07.380]  Only the people in the exchange.
[04:07.540 --> 04:11.860]  And we think that atomic swaps are very similar to this.
[04:11.860 --> 04:14.720]  So, it's a cash-to-cash exchange.
[04:15.120 --> 04:21.320]  And in the same way that you wouldn't want to...
[04:21.320 --> 04:26.720]  If someone tries to buy your motor for $2,000,
[04:26.720 --> 04:29.920]  you might take cash and not worry too much about it.
[04:29.920 --> 04:31.640]  But if you are trying to sell your house
[04:31.640 --> 04:34.380]  and somebody shows up with a million in cash,
[04:34.380 --> 04:36.480]  you are going to worry about it
[04:36.480 --> 04:39.280]  because you would want to know where it came from
[04:39.280 --> 04:44.760]  and if it's not counterfeit.
[04:44.760 --> 04:47.620]  So, there is like this natural tendency of people
[04:47.620 --> 04:52.020]  to judge the quality of what they're getting in exchange.
[04:52.420 --> 04:54.260]  So, like in the crypto space,
[04:54.260 --> 04:58.340]  now people are responsible for taking care of their private keys.
[04:58.340 --> 05:01.620]  They could also be responsible for not engaging
[05:01.620 --> 05:05.420]  into suspicious-looking transactions.
[05:05.420 --> 05:07.440]  Like if a transaction is too good to be true,
[05:07.440 --> 05:10.700]  it's probably not true.
[05:11.000 --> 05:18.200]  So, one thing that Monero would gain...
[05:18.200 --> 05:21.000]  So, Bitcoin users for sure would gain a lot of privacy
[05:21.000 --> 05:24.400]  by being able to switch to Monero
[05:24.400 --> 05:28.080]  in a trustless and permissionless manner.
[05:28.080 --> 05:31.540]  But what Monero gains from Bitcoin is its liquidity.
[05:31.540 --> 05:34.500]  It has like a hundred times higher market cap
[05:34.500 --> 05:37.480]  and it's much more easily accessible.
[05:37.480 --> 05:40.800]  So, Bitcoin is easy to get.
[05:40.800 --> 05:45.360]  And if you have a network that you can get Monero,
[05:45.360 --> 05:47.360]  exchange Monero atomically,
[05:47.360 --> 05:51.040]  then you could go into Monero for that path.
[05:51.520 --> 05:54.240]  So, it's very interesting to have permissionless entry
[05:54.240 --> 05:56.200]  into a privacy currency.
[05:57.740 --> 06:01.380]  It's not nice to have to ask for permission
[06:01.380 --> 06:03.360]  to go private.
[06:03.980 --> 06:07.080]  So, with this, I'm going to go
[06:07.080 --> 06:10.340]  and I'm going to try to go through the protocol
[06:11.300 --> 06:16.200]  in the form of a diagram.
[06:18.160 --> 06:20.320]  So, here first I'm going to show...
[06:20.320 --> 06:22.220]  This is the paper that includes...
[06:22.220 --> 06:24.900]  It's the complete paper after the research.
[06:24.900 --> 06:29.360]  So, this research started literally like three years ago
[06:31.840 --> 06:34.880]  and Hashed really did a good job
[06:34.880 --> 06:38.200]  and you can find the summary here.
[06:38.860 --> 06:41.900]  And so, I will...
[06:42.640 --> 06:46.720]  I think the easiest way to understand the atomic swap
[06:46.720 --> 06:48.900]  is to play for the protocol.
[06:48.900 --> 06:51.060]  And we have a representation of the protocol
[06:51.060 --> 06:52.660]  as a Petri net.
[06:52.660 --> 06:54.480]  Can you guys tell me if you can see?
[06:54.480 --> 06:59.200]  If I zoom out, can you still see like this?
[07:00.160 --> 07:03.120]  Yes, we're largely able to see.
[07:03.140 --> 07:05.600]  I'm getting a good quality coming in from you.
[07:05.600 --> 07:09.400]  So, the people watching the stream should still be able to read the text.
[07:09.600 --> 07:10.960]  Okay, that's great.
[07:10.960 --> 07:13.040]  Okay, so I'm going to just show like this.
[07:13.040 --> 07:15.520]  So, here we have
[07:19.480 --> 07:21.760]  basically a protocol representation.
[07:21.760 --> 07:25.520]  So, here you have Bob who starts with Bitcoin in his private wallet
[07:25.520 --> 07:29.640]  and Alice that starts with Monero on her private wallet.
[07:30.080 --> 07:32.940]  And what if the protocol goes through
[07:32.940 --> 07:35.620]  like Alice should end up with Bitcoin
[07:35.620 --> 07:39.440]  and Bob should end up with Monero on their private wallets.
[07:39.800 --> 07:41.920]  And I'm going to play the protocol
[07:41.920 --> 07:44.040]  and slowly I'm going to explain more and more
[07:44.040 --> 07:46.380]  what each transaction does
[07:48.520 --> 07:50.580]  and how they're looking like.
[07:50.580 --> 07:54.060]  So, basically all the logic will happen on the Bitcoin side
[07:54.580 --> 07:59.000]  because Monero doesn't just fix keys.
[07:59.000 --> 08:02.300]  So, how we do it
[08:02.300 --> 08:06.440]  is like you do a whole game theory on the Bitcoin side.
[08:06.440 --> 08:10.120]  So, like Bob with Bitcoin is going to need the protocol
[08:10.120 --> 08:13.520]  by creating two transactions.
[08:13.880 --> 08:16.820]  A softlock transaction that's going to be the transaction
[08:16.820 --> 08:19.260]  that locks the Monero, the Bitcoin
[08:19.260 --> 08:22.300]  that is going to be sent to Alice.
[08:22.300 --> 08:25.580]  So, the locked Bitcoin is going to end up
[08:26.640 --> 08:29.360]  with this script on this output.
[08:32.120 --> 08:36.040]  And a transaction that is a refund transaction
[08:36.040 --> 08:40.500]  and Bob already partially signs it and sends it to Alice.
[08:41.000 --> 08:45.100]  And this refund transaction is going to spend the softlock output
[08:45.100 --> 08:49.380]  and give the money back to Bob, basically.
[08:49.380 --> 08:51.660]  So, this is a refund path.
[08:51.660 --> 08:54.600]  So, Alice checks the information that Bob gives
[08:54.600 --> 08:57.800]  and Alice signs the refund transaction
[08:58.600 --> 09:01.200]  because all the information is correct.
[09:01.700 --> 09:07.380]  And having the refund, Bob can safely lock the money
[09:07.380 --> 09:08.900]  on this softlock contract
[09:10.660 --> 09:13.280]  and publish it to the blockchain,
[09:13.280 --> 09:15.660]  wait for it to be mined,
[09:15.660 --> 09:20.960]  and the money is going to be on this very special output here.
[09:22.600 --> 09:25.200]  Nothing happened on the Monero chain yet.
[09:27.020 --> 09:32.120]  Alice has to lock her money as well.
[09:32.380 --> 09:35.140]  And Alice is going to feel convinced she should do it
[09:35.140 --> 09:37.460]  because she can see that the locked Bitcoin
[09:37.460 --> 09:39.480]  is locked in the correct address.
[09:39.480 --> 09:51.800]  So, basically, Alice locks her Monero in this special address.
[09:51.800 --> 09:55.800]  This address is derived by both Alice and Bob.
[09:56.760 --> 10:00.680]  Actually, none of them control this address.
[10:01.360 --> 10:04.680]  They only know half of the private keys.
[10:04.680 --> 10:07.020]  So, what is interesting now is that
[10:07.020 --> 10:09.980]  whoever learns the other half of the private key
[10:09.980 --> 10:12.520]  gets the Bitcoin.
[10:12.520 --> 10:13.940]  Gets the Monero, sorry.
[10:13.940 --> 10:18.220]  And it's either going to be a refund or a complete stop.
[10:18.220 --> 10:23.240]  So, at this point, Alice can't do anything.
[10:23.240 --> 10:27.100]  Bob has to reveal a special secret.
[10:27.100 --> 10:29.080]  This is just a synchronization secret.
[10:29.080 --> 10:31.180]  It's like the authorization of Bob
[10:31.180 --> 10:35.940]  to let Alice move on the protocol.
[10:37.660 --> 10:40.280]  So, Bob shares the secret.
[10:40.280 --> 10:44.000]  This secret is needed to unlock this output.
[10:44.000 --> 10:47.300]  So, this output needs this secret,
[10:47.300 --> 10:49.140]  synchronization secret.
[10:49.340 --> 10:52.660]  It needs Alice.
[10:53.840 --> 10:58.780]  This Alice half key is the private spend key
[10:58.780 --> 11:02.440]  that is locking this output here.
[11:02.880 --> 11:05.020]  So, Bob has half of it.
[11:05.020 --> 11:06.480]  Alice has the other half.
[11:06.480 --> 11:11.080]  So, basically, in order for Alice to spend this output,
[11:11.080 --> 11:12.740]  she's going to have to reveal this key.
[11:13.180 --> 11:15.540]  How does she reveal this key?
[11:15.540 --> 11:17.540]  It's through this...
[11:18.280 --> 11:24.200]  So, basically, we use this ECDSA adapter signature,
[11:24.200 --> 11:27.480]  which is basically like Alice's...
[11:28.000 --> 11:31.700]  Bob gives Alice an encrypted transaction
[11:31.700 --> 11:34.200]  that in order for her to...
[11:34.200 --> 11:35.540]  an encrypted signature
[11:35.540 --> 11:39.540]  and in order for her to decrypt the signature and use it here,
[11:40.420 --> 11:41.540]  she has to...
[11:43.160 --> 11:44.960]  when she decrypts it,
[11:44.960 --> 11:47.620]  she leaks this key, basically.
[11:47.980 --> 11:50.360]  Because if you have the decrypted...
[11:50.360 --> 11:53.340]  if Bob has the decrypted and the encrypted version of the signature,
[11:53.340 --> 11:55.440]  he can recover easily this key.
[11:55.900 --> 11:59.500]  So, basically, you force Alice to reveal this key
[12:00.880 --> 12:04.140]  and Alice gets the Bitcoin in her private wallet.
[12:04.140 --> 12:07.720]  Now, this key that got leaked can be used by Bob
[12:07.720 --> 12:11.340]  to claim his monero on the other side.
[12:11.620 --> 12:18.520]  So, that's how the protocol would run in the successful case.
[12:18.720 --> 12:22.740]  But, of course, there are tons of cases that are not the successful case.
[12:23.360 --> 12:29.780]  And, for example, I went back in time a little bit.
[12:31.560 --> 12:33.780]  For example, here, like...
[12:35.260 --> 12:38.580]  basically, Bob decides that he doesn't give the secret
[12:38.580 --> 12:41.840]  to authorize Alice to continue running the protocol.
[12:41.940 --> 12:43.480]  So, he doesn't trigger this.
[12:43.480 --> 12:44.380]  What can Alice do?
[12:44.380 --> 12:48.820]  The only thing she can do is, like, after a timeout,
[12:48.820 --> 12:50.780]  this is a...
[12:51.340 --> 12:54.860]  she can publish the refund transaction.
[12:55.520 --> 12:56.440]  Okay, now let's try...
[12:56.440 --> 12:58.960]  now we're going to understand a little bit the refund transaction.
[12:58.960 --> 13:03.040]  So, Alice published this refund transaction
[13:04.280 --> 13:06.560]  because Bob wasn't responsive.
[13:07.260 --> 13:09.040]  He wasn't triggering this one.
[13:09.040 --> 13:14.740]  And so, like, right now, if Bob does not become responsive,
[13:15.700 --> 13:19.880]  Alice is going to be able to take this path and take the Bitcoin.
[13:21.260 --> 13:25.740]  But, if Bob can, he should become responsive,
[13:25.740 --> 13:27.300]  otherwise he's going to lose his money.
[13:27.300 --> 13:32.660]  And he's going to try to consume this output.
[13:32.660 --> 13:36.220]  And, again, this is, like, the same scheme as before
[13:36.220 --> 13:37.570]  with adapter signature.
[13:37.860 --> 13:40.260]  And this key is going to get leaked
[13:40.260 --> 13:47.560]  by Bob decrypting Alice's signature
[13:47.560 --> 13:49.700]  that is needed on this transaction.
[13:50.640 --> 13:55.490]  And it's interesting now that because Bob leaked his monero key,
[13:56.270 --> 14:03.910]  Alice can claim her refund on the monero chain like this.
[14:04.850 --> 14:12.270]  So, this is very interesting because, like, we managed to...
[14:12.270 --> 14:16.430]  like, although we don't have any time lock or any scripting capability here,
[14:16.430 --> 14:22.850]  we managed to gain liveness by forcing Bob to act.
[14:22.850 --> 14:25.590]  So, we forced Bob to leak this key.
[14:25.770 --> 14:35.130]  And so, basically, we managed to make this protocol live
[14:35.130 --> 14:39.610]  just on the Bitcoin, with Game Theory on the Bitcoin side.
[14:40.350 --> 14:45.170]  And, yeah, so many things can happen here.
[14:45.170 --> 14:47.330]  Like, even things that should never happen.
[14:47.330 --> 14:51.310]  For example, let's go back in time.
[14:52.190 --> 14:53.310]  Should never happen? Not.
[14:53.310 --> 14:57.050]  It should happen on the protocol, but in practice it will not happen
[14:57.050 --> 14:58.670]  because of Game Theory.
[15:00.730 --> 15:02.250]  So, let's see.
[15:02.250 --> 15:13.460]  For example, if you would allow Alice not to lock her monero,
[15:13.460 --> 15:18.680]  if Alice just refuses to...
[15:18.680 --> 15:27.300]  So, Bitcoin is locked and Alice doesn't lock her monero.
[15:28.140 --> 15:32.900]  Then, like, Bob goes, OK, I'm going to claim the refund after time lock.
[15:34.840 --> 15:36.760]  And now, what if...
[15:37.380 --> 15:41.120]  So, there's this path, for example, here that Alice can spend the refund.
[15:41.300 --> 15:46.480]  So, if this would happen, Alice would end up with both Bitcoin and monero.
[15:46.480 --> 15:49.680]  And that's totally not an atomic swap.
[15:49.680 --> 15:55.560]  So, but this path is very important for the Game Theory that we explained before.
[15:55.560 --> 15:58.680]  It's to force Bob to react.
[15:58.680 --> 16:01.120]  So, in practice, this path would never happen
[16:03.320 --> 16:09.680]  because Bob can directly move the Bitcoin from this output into his private wallet
[16:09.680 --> 16:14.700]  by publishing this transaction and this transaction together.
[16:14.700 --> 16:21.620]  And this transaction, he could pay tons of fees to make it pay for the child.
[16:21.620 --> 16:23.220]  The parent pays for the child.
[16:23.480 --> 16:31.440]  Yeah, so, we are pretty convinced that...
[16:32.360 --> 16:40.860]  So, like, by basically embedding, like, the monero private spend keys
[16:40.860 --> 16:47.260]  as the encryption keys for, like, some Bitcoin signatures
[16:47.260 --> 16:56.520]  is a very, very interesting way to basically leak keys that can be used on the other chain.
[16:56.520 --> 17:04.080]  And with the trick that Sarang presented before, I explained before in previous talk,
[17:04.080 --> 17:07.800]  you can, like, because monero and Bitcoin use different curves,
[17:07.800 --> 17:12.920]  so you can prove that that key is actually the same on both sides.
[17:13.280 --> 17:17.500]  So, we're pretty convinced that the protocol is complete.
[17:18.720 --> 17:22.580]  Yeah, so, if you guys have any, like, questions specific to the protocol,
[17:22.580 --> 17:27.140]  I think it would be very interesting, especially now that we can try to play it.
[17:29.300 --> 17:31.180]  Sure, thank you so much.
[17:31.180 --> 17:35.340]  First, I just want to point out that, you know, I'm paying attention to the YouTube,
[17:35.340 --> 17:36.900]  I'm paying attention to Discord.
[17:36.900 --> 17:43.000]  Sarang Noether is still on, so if he does have any questions, of course, Sarang, hop on in.
[17:43.000 --> 17:45.180]  I guess, first question.
[17:46.740 --> 17:49.960]  So, you've architected the general process for how it works.
[17:49.960 --> 17:55.520]  What is the next step to implement this into, you know, a functional system?
[17:55.600 --> 17:57.380]  What does that look like?
[17:58.260 --> 18:12.600]  Oh, so, like, we have to first start organizing ourselves to see how big of a project this can be,
[18:12.600 --> 18:15.240]  in terms of how many people should work on it.
[18:15.240 --> 18:26.800]  Like, we are currently, like, three people, and maybe we want to work with more people on this project if it happens.
[18:26.800 --> 18:34.100]  Like, basically, we're still, like, in the phase of trying to write some timeline of a project,
[18:34.100 --> 18:43.020]  like some deliverables that we know are necessary, let's say, prerequisites for achieving the final goal.
[18:43.020 --> 18:54.060]  And, yeah, so basically, I think in the next months or so, I think we're going to basically present this to the community
[18:54.060 --> 19:04.020]  and make a CCS proposal, and depending on how it goes, then we decide how much...
[19:05.100 --> 19:07.820]  I will see how much effort we can put into it.
[19:08.220 --> 19:11.340]  So, but there's a lot of things to be done.
[19:12.060 --> 19:13.100]  Understood.
[19:15.300 --> 19:23.400]  On the GitHub page that you shared, and I also sent this on YouTube for people to see, I'll post it in Discord also,
[19:23.400 --> 19:26.120]  is this diagram available there, too?
[19:27.040 --> 19:33.400]  Oh, the issue with this diagram is that it uses, like, some weird software to play it.
[19:34.320 --> 19:40.040]  And, yeah, like, today, my housemate took, like, two hours to get it to work.
[19:41.700 --> 19:52.900]  So, well, we can... the description, it's easy to give, but this software is, like, very weird.
[19:53.360 --> 19:58.120]  GreatSPN editor. But I could share the diagrams, but...
[19:58.120 --> 20:03.540]  Yeah, I can't say I've heard of this before, but even, like, a PDF export or something.
[20:04.040 --> 20:06.280]  Oh, yeah, that's for sure.
[20:07.560 --> 20:08.760]  That's easier.
[20:09.240 --> 20:15.200]  So, I think that, yeah, we can share the subgraphs, for sure, like this, but it's...
[20:15.200 --> 20:22.100]  We want to eventually make a playable JavaScript thing out of this, but we have to do it by hand.
[20:24.620 --> 20:25.240]  Yeah.
[20:25.320 --> 20:31.040]  Okay, understood. It is really cool to see a walkthrough of this, because I know that you publish some stuff on GitHub.
[20:31.040 --> 20:35.600]  I personally haven't really looked through it in full detail, just I don't have those skills personally.
[20:35.600 --> 20:38.400]  I know other people in the community are excited and have looked at it.
[20:38.400 --> 20:44.760]  So, it is cool to be able to sit down and have this walked through right in front of me.
[20:44.760 --> 20:50.240]  I think it's a very good initial starting point to get some of the ideas in here.
[20:50.600 --> 20:51.360]  Sorry.
[20:52.120 --> 20:52.640]  No, go ahead.
[20:52.640 --> 20:53.540]  Sorry, sorry.
[20:53.660 --> 20:54.620]  You go ahead.
[20:56.260 --> 20:58.880]  So, I think it's...
[20:58.880 --> 21:07.060]  So, this kind of diagram helps you bind together all the information, because you have all these Bitcoin transactions.
[21:07.260 --> 21:13.280]  And it's a little hard to see what are the requirements of them and things like that.
[21:13.280 --> 21:22.600]  And here, it becomes like, oh, you see the function, and you see the function of a transaction.
[21:22.600 --> 21:32.960]  It's like, oh, this transaction is making him leak that key, or it's forcing him to act quick before that path becomes available.
[21:32.960 --> 21:38.080]  And I think this is where this kind of diagram...
[21:38.080 --> 21:39.160]  It's called Petri nets.
[21:39.160 --> 21:42.300]  They bind everything together, and it's much easier to go through it.
[21:42.300 --> 21:44.320]  And this is actually a form of diagram.
[21:44.360 --> 21:46.460]  It's not just a graph.
[21:50.730 --> 21:51.210]  So...
[21:51.210 --> 21:53.290]  I did have one question.
[21:55.910 --> 21:58.010]  99.9% sure I know the answer.
[21:58.010 --> 22:04.830]  But I think it's helpful to ask anyway, just to clarify, especially for anyone else who maybe hasn't read your PDF yet.
[22:05.590 --> 22:11.910]  This doesn't require any particular protocol changes to either the Bitcoin or the Monero side.
[22:11.910 --> 22:12.850]  Is that right?
[22:12.850 --> 22:14.850]  Yes, that's right.
[22:14.850 --> 22:24.670]  I seem to remember seeing a couple of questions just in other media that basically seem to imply, like, when would a network upgrade enable this?
[22:24.670 --> 22:30.210]  Just to be clear, there wouldn't need to be network upgrades to enable this.
[22:30.210 --> 22:32.690]  I mean, in theory, people could be doing this right now.
[22:32.690 --> 22:36.430]  Although, it seems very unlikely without software support, right?
[22:36.870 --> 22:37.350]  Yeah.
[22:37.770 --> 22:41.690]  So, for sure, we don't need anything right now.
[22:41.690 --> 22:46.470]  Even the ECDSA has been done already.
[22:46.470 --> 22:49.450]  We were totally unaware of this work.
[22:49.550 --> 22:54.810]  But it looks like very high quality, so I think we can just use it.
[22:56.750 --> 23:01.870]  So, basically, we just use a normal key in Monero.
[23:01.870 --> 23:03.290]  And in Bitcoin, it's scripts.
[23:03.290 --> 23:08.510]  There is fingerprinting from the Bitcoin script.
[23:08.510 --> 23:14.530]  So, people are going to be able to possibly tell that, oh, this was probably an atomic swap.
[23:14.650 --> 23:17.670]  Like, this follows, like, that protocol there.
[23:17.730 --> 23:31.450]  So, however, after Taproot, soft fork, I think it's BIP 341, like, we could hide this protocol in the success cases if people all agree on it.
[23:31.450 --> 23:33.570]  So, then it would be pretty interesting.
[23:33.610 --> 23:38.390]  Because then we wouldn't have any trace left on the Bitcoin blockchain about the swap.
[23:38.610 --> 23:44.210]  Okay, sorry, just to be clear, you may have said this and maybe I just wasn't listening closely enough.
[23:44.230 --> 23:58.910]  So, as far as the softfork is concerned, are you saying that's a softfork in Monero or Bitcoin to enable that, where in the best of cases, if it goes through and there are no contentious problems, that it would be much more difficult to mark the Bitcoin as related to a swap?
[23:58.910 --> 24:02.970]  Sorry, so softfork, is that related to Monero or Bitcoin?
[24:03.250 --> 24:09.750]  Bitcoin. Sorry, this is Bitcoin. It's like the, it's the bip-schnorr, bip-taproot, tap-script.
[24:09.750 --> 24:18.910]  It's like, so it's if, when Bitcoin gets Schnorr, Bitcoin is going to get Taproot as well.
[24:19.830 --> 24:22.950]  So, it's, that's what I'm talking about.
[24:22.950 --> 24:32.110]  So, but before, you can look at it and say, oh, that could be an atomic swap. After that, then you can't say anything. So, it's very interesting.
[24:32.450 --> 24:38.550]  Okay, very interesting. That'll help prevent surveillance software from just marking it all as higher risk.
[24:39.850 --> 24:40.650]  Yeah.
[24:48.310 --> 24:55.350]  Okay, this is the last question. Just putting it out there for those that are watching this on YouTube or anything, if you have any questions, now's a great chance to answer them.
[24:55.350 --> 25:01.410]  We have just a few minutes left. Although, it doesn't seem like this research team is going anywhere. It looks like they're just getting started.
[25:01.590 --> 25:03.490]  They have their work cut out for themselves.
[25:06.670 --> 25:09.870]  But it is exciting to hear about it.
[25:11.010 --> 25:14.610]  Really no questions coming in. Sarang, did you have anything else that you wanted to get at?
[25:15.090 --> 25:16.490]  He may have walked away.
[25:17.170 --> 25:20.690]  No, no, no, I'm here. No, I think this is, I think this is extremely exciting.
[25:20.690 --> 25:30.410]  I think, I think there's still, you know, questions to ask about, you know, especially with, you know, what was brought up about, you know, possible fingerprinting, I think is very important.
[25:30.430 --> 25:37.330]  You know, I think making sure that it's clearly understood what the privacy implications are about how the transactions are initialized.
[25:37.570 --> 25:42.210]  Initially, and there have been some talk on the research lab channel about this too.
[25:42.670 --> 25:50.590]  But, you know, I mean, this is great, you know, previously when it was first brought up, it was kind of this, you know, if only we had, you know, proven systems that could show this particular
[25:50.590 --> 25:58.870]  quality, and we're like, yeah, wouldn't that be great. And now it turns out like this adapter signature and cross group stuff can be done. So I guess very exciting.
[25:59.830 --> 26:09.130]  Yeah, I have to say when I first saw the pitch of like Monero Bitcoin atomic swaps, I just assumed it was someone trying to pitch like a centralized exchange that they were just calling a swap.
[26:09.950 --> 26:16.590]  And then I had to do a little bit further to be like, oh, actually, these people are not kidding around. This is actually something that's, that's not just...
[26:16.590 --> 26:25.890]  Yeah, we started at CCC and we were just like, how do we make Bitcoin private?
[26:27.370 --> 26:34.670]  And I guess one last question that I have that's, you know, that is mentioned in the paper.
[26:35.090 --> 26:37.730]  Yeah, I think it's actually mentioned pretty clearly in the paper too.
[26:37.730 --> 26:53.290]  That this is not just limited to Monero or to Bitcoin. In the paper, I know you and your colleagues talk about kind of pretty specifically what the requirements are for each of the different kind of types of chains and protocols. Is that right?
[26:54.370 --> 27:03.070]  Yeah, like, basically, like, think about it. How much are we using of Monero here? Like, it's just a normal address.
[27:03.070 --> 27:13.610]  So it's like, there's nothing special there. So anything that has as much capability as Monero can be one side of the Bitcoin trade.
[27:13.610 --> 27:23.710]  But so like, if you go, so Bitcoin is already very capable. So if you go to things that are more capable than Bitcoin, then it's like, gets even easier.
[27:23.710 --> 27:36.370]  But of course, then you get more fingerprinting, like, even like, so you have like, like much deeper traces of what you've been doing left on chain.
[27:36.370 --> 27:57.750]  So yeah, like, so for sure, like, and I think the trick of the cross group equality that that makes like the bridge between any elliptic curve, I think, like, so then like, you can just basically cross across any, any chain, basically, if you can, if you can produce these groups.
[27:57.750 --> 28:13.350]  So I think it's, it's, it's pretty, like the protocol itself, because we can play like the game theory only once on one side, it shows it that it's possible to build stuff with very limited resources, I think protocols should be very minimal.
[28:13.350 --> 28:27.350]  And, and, and like, we cannot use complicated primitives, or let's say complicated systems to deal with simple things like, like accounting.
[28:29.270 --> 28:35.610]  And it sounds like on the Bitcoin side, at least, maybe the big limitation right now is just ECDSA. Is that right?
[28:36.610 --> 28:47.450]  Oh, yeah, that makes things like ugly and hard. Like, like, yeah, to do that, the adapter signature on Schnorr would be trivial.
[28:48.250 --> 28:50.010]  For example.
[28:53.270 --> 28:56.890]  Cool. Thanks for the questions.
[28:57.470 --> 29:05.730]  Thank you. I know we were brought in here at the last minute to do something, but it was definitely worth it. It was great to have you included at DEF CON.
